Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2421
Views
0
Helpful
2
Replies

Nexus 1000V netflow export

cinc101
Level 1
Level 1

‎02-14-2012 01:37 PM

I have configured the N1KV to export netflow records to our netflow collector. I have been using the pre-defined flow records and have tried both the netflow-original and netflow ipv4 original-input.

Our netflow collector can decipher the flows themselves but cannot determine what interface they are being originated from (and attribute the flow). Our software is looking for the ifindex value to determine the interface. I assume that they're missing in the export (even though included in the flow record template)

When trying to decode the netflow packets using the wireshark netflow v9 decoder they do not decode indicating that the records are possibly malformed for whatever reason.

Has anyone tried to configure netflow on the nexus 1000v and experienced similar problems?

TIA

Labels:
0 Helpful
2 Replies 2

cinc101
Level 1
Level 1

‎02-15-2012 01:50 PM

I've done some more research on this issue and found that to successfully decode the v9 records in wireshark, I needed to capture a record which contained the template somewhere in my capture otherwise I cannot successfully decode it.

I found this gem of a command template data timeout under the flow exporter configuration which allowed me to force the export of the template to happen more frequently. I can now successfully decode the packets.

I believe this issue now lies in the fact that the ifindex values generated in the N1KV are lenghty (8-9 digits) which possibly cannot be processed by our netflow software as I suspect this field is expected to be up to 32 bits.

Raising a ticket with our vendor on that one.

Does anyone know if there is any way to reset or re-compute the snmp ifindex value and possibly make it smaller on this platform?

0 Helpful

jakewilson
Level 1
Level 1

‎02-19-2012 01:06 AM

Hello,

Michael Patterson wrote about viewing NetFlow from the nexus 1000v. I'm not aware of any issues using Scrutinizer NetFlow Analyzer.   

Regarding wireshark, netfow templates and viewing data: make sure you open the last packet first.  This forces wireshark to go back through the capture and find the template.  Your point about needing the template in the capture is paramount!  If you continue to have issues, contact plixer with a packet capture and we'll figure out what is wrong.

Jake

0 Helpful
Customers Also Viewed These Support Documents